2026-06-117 minhigh

Cyber-Enabled Maritime Sanctions Evasion

Sanctions Evasion Networks (SENs) supporting Iranian and Russian shadow fleets are operating a complex ecosystem of inauthentic websites to bypass maritime compliance. These networks impersonate legitimate maritime authorities and utilize automated document generation tools to produce fraudulent ship and seafarer certificates, complicating detection by regulatory and enforcement bodies.

Conf:highAnalyzed:2026-06-11Google

Authors: Recorded Future, Insikt Group

IOCs · 44

.txt .json

domain
alliance-scs[.]orgCluster Charlie fraudulent classification society.
domain
atlasregister[.]netCluster Alpha inauthentic maritime domain.
domain
atlasregister[.]orgCluster Alpha inauthentic maritime domain.
domain
beninmaritime[.]bjCluster Alpha inauthentic domain impersonating Benin maritime authority.
domain
beninmaritime[.]coCluster Alpha inauthentic domain impersonating Benin maritime authority.
domain
beninmaritime[.]inCluster Alpha inauthentic domain impersonating Benin maritime authority.
domain
beninmaritime[.]netCluster Alpha inauthentic domain impersonating Benin maritime authority.
domain
benin-maritime[.]orgCluster Charlie inauthentic domain impersonating Benin maritime authority.
domain
beninmaritime[.]orgCluster Alpha inauthentic domain impersonating Benin maritime authority.
domain
brunieshipclass[.]orgCluster Charlie inauthentic maritime domain.
domain
btn-shipreg[.]comCluster Charlie inauthentic domain impersonating Bhutan ship registry.
domain
cameroonshipregistry[.]orgCluster Charlie inauthentic domain impersonating Cameroon ship registry.
domain
chad-maradmin[.]orgCluster Charlie inauthentic domain impersonating Chad maritime administration.
domain
epnicaragua[.]comCluster Alpha inauthentic domain impersonating Nicaragua maritime authority.
domain
epnicaragua[.]orgCluster Alpha domain impersonating a Nicaraguan maritime authority, linked to Oceaniek Technologies.
domain
eqguinea-shipadmin[.]orgCluster Charlie inauthentic domain impersonating Equatorial Guinea ship administration.
domain
gove[.]bjCluster Alpha typosquatting domain.
domain
guve[.]bjCluster Alpha typosquatting domain.
domain
haiti-shipreg[.]comCluster Charlie inauthentic domain impersonating Haiti ship registry.
domain
hellasnaval[.]comCluster Bravo domain masquerading as Hellas Naval Bureau of Shipping.
domain
hellasnaval[.]netCluster Bravo domain masquerading as Hellas Naval Bureau of Shipping.
domain
hss-registry[.]orgCluster Charlie inauthentic maritime domain.
domain
imsag[.]orgCluster Bravo domain impersonating a Guyanese maritime administration.
domain
imsnaval[.]comCluster Bravo domain masquerading as International Marine Services.
domain
imspanel[.]comCluster Bravo domain hosting login panels for fake classification societies.
domain
isithin[.]comCluster Bravo domain masquerading as International Seafarers Institute.
domain
marinegov[.]orgCluster Bravo inauthentic maritime domain.
domain
medlloyd[.]onlineCluster Bravo domain masquerading as Med Lloyd Classification Society.
domain
medlloyd[.]orgCluster Bravo domain masquerading as a legitimate ship classification society (Med Lloyd Classification Society).
domain
mpabd-shipregistry[.]orgCluster Charlie inauthentic maritime domain.
domain
nauticacentro[.]comCluster Bravo domain masquerading as Centro de Educación Náutica Mercante.
domain
nauticacentro[.]mxCluster Bravo domain masquerading as Centro de Educación Náutica Mercante.
domain
niataregister[.]netCluster Alpha inauthentic maritime domain.
domain
niataregister[.]orgCluster Alpha inauthentic maritime domain.
domain
olymposnaval[.]comCluster Bravo domain masquerading as Olymbos Naval.
domain
pdf[.]beninmaritime[.]coSubdomain hosting a Django-based Certificate PDF Generator used to create fraudulent seafarer documents.
domain
pioneersmaritime[.]comCluster Charlie domain acting as a fraudulent recognized organization (RO) that mutually endorses other fake registries.
domain
registry[.]zmgov[.]orgCluster Alpha inauthentic domain impersonating Zambia ship registry.
domain
sasmaa[.]clubCluster Charlie domain masquerading as a P&I club.
domain
zambmaritime[.]orgCluster Charlie inauthentic domain impersonating Zambia maritime authority.
domain
zambshipadmin[.]orgCluster Charlie inauthentic domain impersonating Zambia ship administration.
ip
151[.]80[.]4[.]227Hosting infrastructure for Olymbos Naval, a fraudulent entity linked to Med Lloyd and HNBS.
ip
159[.]198[.]36[.]123Infrastructure hosting multiple Cluster Bravo maritime impersonation domains.
ip
217[.]76[.]51[.]133Infrastructure hosting at least fourteen inauthentic ship registry and classification society websites associated with Cluster Charlie.

Detection / HunterGoogle

What Happened

Threat actors supporting Russian and Iranian shipping fleets are creating fake websites to bypass international sanctions. These websites pretend to be official maritime organizations from various countries, issuing fake certificates and documents for ships and their crews. This matters because it allows sanctioned vessels to continue operating and transporting goods illegally, undermining global security measures. Organizations in the maritime industry should enhance their verification processes and use threat intelligence to spot these fake documents.

Key Takeaways

Iranian and Russian shadow fleets are utilizing over 36 inauthentic websites to evade maritime sanctions.
The fraudulent infrastructure impersonates national maritime administrations, ship registries, and classification societies to issue fake documentation.
Threat actors use automated tools, such as Django-based PDF generators, to create fraudulent seafarer certificates complete with QR codes.
The infrastructure is divided into three distinct clusters (Alpha, Bravo, Charlie), utilizing tactics like mutual endorsements to build artificial credibility.
Cluster Alpha has ties to an Indian web development company, while Cluster Bravo is linked to Syrian nationals operating out of Türkiye.

Affected Systems

Maritime compliance workflows
Due diligence processes
Port inspection verification systems

Attack Chain

Sanctions Evasion Networks (SENs) establish inauthentic websites that typosquat or impersonate legitimate national maritime administrations, ship registries, and classification societies. They utilize these platforms to generate fraudulent documentation, such as seafarer certificates and ship inspection records, often employing automated PDF generators and QR codes to simulate authenticity. The networks then use mutual endorsement tactics, where fake registries validate fake classification societies, creating a closed loop of fabricated credibility. Finally, sanctioned vessels present these fraudulent documents during port inspections and due diligence checks to bypass international sanctions and continue illicit operations.

Detection Availability

YARA Rules: No
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: No
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) but relies on infrastructure analysis and brand intelligence tracking.

Detection Engineering Assessment

EDR Visibility: None — The activity involves external web infrastructure, typosquatting, and document forgery, which do not interact with internal endpoints. Network Visibility: Low — Network telemetry would only capture activity if internal users (e.g., compliance officers) actively browse to or query the fraudulent domains during investigations. Detection Difficulty: Hard — Detecting this activity relies heavily on external threat intelligence, brand monitoring, and manual verification of document authenticity rather than standard technical signatures.

Required Log Sources

DNS Logs
Web Proxy Logs

Hunting Hypotheses

copy:

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Users within maritime compliance or port authority networks are querying known fraudulent registry domains.	DNS Logs, Web Proxy Logs	Reconnaissance/Verification	Low
Scanned QR codes from physical maritime documents are resolving to unofficial, non-governmental TLDs (.com, .org, .net) instead of official government domains.	Web Proxy Logs	Execution/Verification	Medium

Control Gaps

Automated document verification systems
Independent maritime registry validation processes

Key Behavioral Indicators

QR codes on official documents pointing to non-governmental TLDs (.com, .org instead of .gov)
Certificates issued by unrecognized or multi-jurisdictional classification societies
Maritime administration contact emails using generic or typosquatted domains

False Positive Assessment

Recommendations

Immediate Mitigation

Verify against your organization's incident response runbook and team escalation paths before acting.
Consider blocking access to the identified fraudulent domains on corporate networks to prevent accidental interaction or reliance during compliance checks.

Infrastructure Hardening

Evaluate implementing strict DNS filtering for known typosquatted domains related to maritime authorities and registries.

User Protection

If applicable, consider deploying brand protection and monitoring services to detect newly registered domains impersonating your organization or trusted partners.

Security Awareness

Consider training compliance and due diligence teams to manually verify the URLs embedded in QR codes on physical maritime certificates.
Evaluate educating staff on the risks of relying solely on digital certificates without cross-referencing official IMO databases (e.g., GISIS).

MITRE ATT&CK Mapping

T1583.001 - Acquire Infrastructure: Domains
T1583.006 - Acquire Infrastructure: Web Services
T1036 - Masquerading

Additional IOCs

Ips:
- 151[.]80[.]4[.]227 - Hosting infrastructure for Olymbos Naval, a fraudulent entity linked to Med Lloyd and HNBS.
Domains:
- alliance-scs[.]org - Cluster Charlie fraudulent classification society.
- atlasregister[.]net - Cluster Alpha inauthentic maritime domain.
- atlasregister[.]org - Cluster Alpha inauthentic maritime domain.
- benin-maritime[.]org - Cluster Charlie inauthentic domain impersonating Benin maritime authority.
- beninmaritime[.]bj - Cluster Alpha inauthentic domain impersonating Benin maritime authority.
- beninmaritime[.]co - Cluster Alpha inauthentic domain impersonating Benin maritime authority.
- beninmaritime[.]in - Cluster Alpha inauthentic domain impersonating Benin maritime authority.
- beninmaritime[.]net - Cluster Alpha inauthentic domain impersonating Benin maritime authority.
- beninmaritime[.]org - Cluster Alpha inauthentic domain impersonating Benin maritime authority.
- brunieshipclass[.]org - Cluster Charlie inauthentic maritime domain.
- btn-shipreg[.]com - Cluster Charlie inauthentic domain impersonating Bhutan ship registry.
- cameroonshipregistry[.]org - Cluster Charlie inauthentic domain impersonating Cameroon ship registry.
- chad-maradmin[.]org - Cluster Charlie inauthentic domain impersonating Chad maritime administration.
- epnicaragua[.]com - Cluster Alpha inauthentic domain impersonating Nicaragua maritime authority.
- eqguinea-shipadmin[.]org - Cluster Charlie inauthentic domain impersonating Equatorial Guinea ship administration.
- gove[.]bj - Cluster Alpha typosquatting domain.
- guve[.]bj - Cluster Alpha typosquatting domain.
- haiti-shipreg[.]com - Cluster Charlie inauthentic domain impersonating Haiti ship registry.
- hellasnaval[.]net - Cluster Bravo domain masquerading as Hellas Naval Bureau of Shipping.
- hellasnaval[.]com - Cluster Bravo domain masquerading as Hellas Naval Bureau of Shipping.
- hss-registry[.]org - Cluster Charlie inauthentic maritime domain.
- isithin[.]com - Cluster Bravo domain masquerading as International Seafarers Institute.
- marinegov[.]org - Cluster Bravo inauthentic maritime domain.
- medlloyd[.]online - Cluster Bravo domain masquerading as Med Lloyd Classification Society.
- mpabd-shipregistry[.]org - Cluster Charlie inauthentic maritime domain.
- nauticacentro[.]com - Cluster Bravo domain masquerading as Centro de Educación Náutica Mercante.
- nauticacentro[.]mx - Cluster Bravo domain masquerading as Centro de Educación Náutica Mercante.
- niataregister[.]net - Cluster Alpha inauthentic maritime domain.
- niataregister[.]org - Cluster Alpha inauthentic maritime domain.
- registry[.]zmgov[.]org - Cluster Alpha inauthentic domain impersonating Zambia ship registry.
- sasmaa[.]club - Cluster Charlie domain masquerading as a P&I club.
- zambmaritime[.]org - Cluster Charlie inauthentic domain impersonating Zambia maritime authority.
- zambshipadmin[.]org - Cluster Charlie inauthentic domain impersonating Zambia ship administration.
- imsnaval[.]com - Cluster Bravo domain masquerading as International Marine Services.
- imsag[.]org - Cluster Bravo domain impersonating a Guyanese maritime administration.
- olymposnaval[.]com - Cluster Bravo domain masquerading as Olymbos Naval.
- imspanel[.]com - Cluster Bravo domain hosting login panels for fake classification societies.
Urls:
- medlloyd.online.beninmaritime.net - Subdomain linking Cluster Alpha infrastructure to Cluster Bravo.
- malawi.marinegov.org - Subdomain impersonating Malawi ship registry.
- malawi.shipregistry.marinegov.org - Subdomain impersonating Malawi ship registry, displaying fake certificates.
- hellasnaval.net.olymposnaval.com - Subdomain hosting a login page for a fraudulent classification society.
- imspanel.com.olymposnaval.com - Subdomain hosting a login page for a fraudulent classification society.
- medlloyd.online.olymposnaval.com - Subdomain hosting a login page for a fraudulent classification society.
- bma.gov.bj - Inauthentic subdomain impersonating Benin maritime authority.
Other:
- [email protected] - Email address used by fraudulent Benin Maritime Administration websites.
- [email protected] - Typosquatted email address spoofing a legitimate Benin government contact.
- [email protected] - Contact email address listed on a fraudulent Malawi Maritime Administration website.